Technical Manual for the Cisco 2000 Series Wireless LAN Controller

♦ mgmt
♦ data
The <frmType-val> indicates if this signature detects data or management frames.
• Pattern = signature pattern. The token value is used to detect packets that match the signature. There must be at least one Pattern token per signature. There can be up to five such tokens per signature. If the signature has more than one such token, a packet must match the values of all the tokens in order for the packet to match the signature.
When the AP receives a packet, the AP takes the byte stream that starts at <offset>, ANDs it with the <mask>, and compares the result with <pattern>. If the AP finds a match, the AP considers the packet a match with the signature. The <pattern-format> can be preceded by the negation operator "!". In that case, all packets that FAIL the match operation that this section describes are considered a match with the signature.
• Freq = packet match frequency in packets/interval. The value of this token indicates how many packets per measurement interval must match this signature before the signature Action is executed. A value of 0 indicates that the signature Action is taken every time that a packet matches the signature. The maximum value for this token is 65,535. There must be one Freq token per signature.
• Interval = measurement interval in seconds. The value of this token indicates the time period that the threshold (that is, the Freq) specifies. The default value for this token is 1 second. The maximum value for this token is 3600.
• Quiet = quiet time in seconds. The value of this token indicates the amount of time that must pass during which the AP does not receive packets that match the signature before the AP determines that the attack that the signature indicates has subsided. If the value of the Freq token is 0, this token is ignored. There must be one Quiet token per signature.
• Action = signature action. This indicates what the AP must do if a packet matches the signature. This parameter can take values from the <action-val> list. There must be one Action token per signature. The <action-val> can be one of these two keywords only:
♦ none = do nothing.
♦ report = report the match to the switch.
• Desc = signature description. This is a string that describes the purpose of the signature. When a signature match is reported in a Simple Network Management Protocol (SNMP) trap, this string is supplied to the trap. The maximum length of the description is 100 characters. There must be one Desc token per signature.
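As an added illustration of the Pattern, Freq and Interval rules above (example code written for this page, not Cisco's controller or AP implementation): it parses two of the standard signature lines in the controller's file format and evaluates them against constructed 802.11 frames, including the "!" negation and the multi-token AND. It assumes that multi-byte pattern and mask values are read little-endian, the interpretation under which 0:0x00C0:0x03FF matches a deauthentication frame's frame-control bytes c0 00; the sample frames, the tracker class and the omission of the Quiet timer are the example's own.

```python
import re
from collections import deque
TOKEN_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^,]+)')  # key = value pairs of one signature line
FRAME_TYPES = {"mgmt": 0, "data": 2}  # 802.11 type bits (bits 2-3 of frame-control byte 0)

def parse_signature(line):
    """Parse one 'Name = ..., Pattern = ..., Freq=...' line; Interval defaults to 1 second."""
    sig = {"Pattern": [], "Interval": 1}
    for key, val in TOKEN_RE.findall(line):
        val = val.strip().strip('"')
        if key == "Pattern":  # <offset>:<pattern>:<mask>, optionally preceded by "!"
            off, pat, mask = val.lstrip("!").split(":")
            width = (len(mask.replace("0x", "")) + 1) // 2  # number of bytes the mask covers
            sig["Pattern"].append((val.startswith("!"), int(off), int(pat, 16), int(mask, 16), width))
        else:
            sig[key] = int(val) if key in ("Ver", "Preced", "Freq", "Interval", "Quiet") else val
    return sig

def pattern_matches(frame, negate, off, pat, mask, width):
    """AND the `width` bytes at `off` with the mask and compare the result with the pattern.
    Assumption: multi-byte values are little-endian (so 0x00C0 fits a deauth frame's FC bytes c0 00)."""
    chunk = frame[off:off + width]
    hit = len(chunk) == width and (int.from_bytes(chunk, "little") & mask) == pat
    return hit != negate  # "!": packets that FAIL the compare are the ones that match

def signature_matches(sig, frame):
    """The frame type must agree and every Pattern token must match (logical AND)."""
    if not frame or (frame[0] >> 2) & 3 != FRAME_TYPES[sig["FrmType"]]:
        return False
    return all(pattern_matches(frame, *p) for p in sig["Pattern"])

class SignatureTracker:
    """Freq/Interval rule: Action fires once Freq matches fall inside one Interval window (Freq=0: every match)."""
    def __init__(self, sig):
        self.sig, self.times = sig, deque()
    def observe(self, frame, now):  # `now` in seconds; the Quiet subsidence timer is not modelled here
        if not signature_matches(self.sig, frame):
            return None
        self.times.append(now)
        while now - self.times[0] >= self.sig["Interval"]:
            self.times.popleft()
        return self.sig["Action"] if len(self.times) >= max(self.sig["Freq"], 1) else None
# Constructed sample frames (not captured traffic): 24-byte 802.11 header followed by the body.
HDR = "{fc}3a01{a1}0011223344550011223344551000"
BCAST_DEAUTH = bytes.fromhex(HDR.format(fc="c000", a1="ffffffffffff") + "0700")
PROBE_BODY = "00" * 8 + "6400" + "1100"  # timestamp, beacon interval, capability: first element at 36
PROBE_RESP_NO_SSID = bytes.fromhex(HDR.format(fc="5000", a1="665544332211") + PROBE_BODY + "010182")
BCAST_DEAUTH_SIG = parse_signature('Name = "Bcast deauth", Ver = 0, Preced= 1, FrmType = mgmt, Pattern = '
    '0:0x00C0:0x03FF, Pattern = 4:0x01:0x01, Freq=30, Quiet = 300, Action = report, Desc="Broadcast Deauthentication Frame"')
NULL_PROBE_SIG = parse_signature('Name = "NULL probe resp 2", Ver = 0, Preced = 3, FrmType = mgmt, Pattern = '
    '0:0x0050:0x03FF, Pattern = !36:0x00:0xFF, Freq=1, Quiet = 300, Action = report, Desc = "NULL Probe Response - No SSID element"')
```

Feeding thirty broadcast deauthentication frames within one second to a SignatureTracker built from BCAST_DEAUTH_SIG returns "report" on the thirtieth frame, and a probe response without an SSID element reports on the first match because its Freq is 1.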
Controller IDS Standard Signatures
These IDS signatures ship with the controller as standard IDS signatures. You can modify all these
signature parameters, as the Controller IDS Parameters section describes.
Revision = 1.000
Name = "Bcast deauth", Ver = 0, Preced= 1, FrmType = mgmt, Pattern = 0:0x00C0:0x03FF, Pattern = 4:0x01:0x01, Freq=30, Quiet = 300, Action = report, Desc="Broadcast Deauthentication Frame"
Name = "NULL probe resp 1", Ver = 0, Preced = 2, FrmType = mgmt, Pattern = 0:0x0050:0x03FF, Pattern = 36:0x0000:0xFFFF, Freq=1, Quiet = 300, Action = report, Desc = "NULL Probe Response - Zero length SSID element"
Name = "NULL probe resp 2", Ver = 0, Preced = 3, FrmType = mgmt, Pattern = 0:0x0050:0x03FF, Pattern = !36:0x00:0xFF, Freq=1, Quiet = 300, Action = report, Desc = "NULL Probe Response - No SSID element"
Name = "Assoc flood", Ver = 0, Preced= 4, FrmType = mgmt, Pattern = 0:0x0000:0x03FF, Freq=50, Quiet = 600, Action = report, Desc="Association Request flood"
Name = "Auth Flood", Ver = 0, Preced= 5, FrmType = mgmt, Pattern = 0: 0x00b0: 0x03FF,